[OpenID] security weakness regarding authentication of the relying party

Francisco Corella fcorella at pomcor.com
Wed Dec 22 19:12:50 UTC 2010


Hi all,

There is a security weakness in OpenID which may already be
known but is not discussed in the security considerations
section of the specification.  It hinges on the fact that
the OpenID provider does not authenticate the relying party.
I discuss the issue in detail in a paper.

OAuth solves this problem in theory by requiring the OAuth
client (the relying party) to register with the OAuth
server.  But Google and Yahoo allow unregistered
applications, so the problem remains.  Btw compulsory
registration is a bad idea: imagine a situation where
a social site becomes dominant, social login via that site
becomes the de facto authentication standard on the Web,
every application has to register with the site, and the
site can kill any application by revoking its registration.

The paper proposes a solution to all this.  Thanks in
advance for any comments.

-- Francisco

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20101222/392332da/attachment.html>
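The two checks the message contrasts, as an added illustration that is not part of the post or of the paper it refers to: an OpenID-style provider that does not authenticate the relying party can only sanity-check the return_to URL it is handed, while an OAuth-style server that requires client registration can reject an unknown client_id, reject a redirect_uri that does not exactly match the one registered for that client, and (the flip side the message warns about) cut a client off entirely by revoking its registration. The client identifier, URLs and registry below are constructed for the example.

```python
"""
Constructed simulation of relying-party handling at an identity provider.
Not code from the post or the paper it cites; all names, URLs and the
client registry are hypothetical.
"""
from urllib.parse import urlsplit

# Hypothetical OAuth client registry: client_id -> registered redirect URIs.
REGISTERED_CLIENTS = {
    "client-abc": {"https://rp.example/callback"},
}


def openid_style_check(return_to: str) -> dict:
    """Unregistered-RP model (OpenID-style): the provider has no registry, so
    the most it can do is require an absolute https return_to.  It cannot
    tell whether the site behind that URL is the one the user believes it is,
    which is the weakness the message points at."""
    parts = urlsplit(return_to)
    if parts.scheme != "https" or not parts.netloc:
        return {"ok": False, "reason": "return_to must be an absolute https URL"}
    return {"ok": True, "redirect": return_to, "authenticated_rp": False}


def oauth_style_check(client_id: str, redirect_uri: str) -> dict:
    """Registered-client model (OAuth-style): reject a client_id that is not
    registered, and require the redirect_uri to match a registered value by
    exact string comparison (no prefix or path matching)."""
    registered = REGISTERED_CLIENTS.get(client_id)
    if registered is None:
        return {"ok": False, "reason": "unknown client_id"}
    if redirect_uri not in registered:
        return {"ok": False, "reason": "redirect_uri not registered for client"}
    return {"ok": True, "redirect": redirect_uri, "authenticated_rp": True}


def revoke_client(client_id: str) -> bool:
    """Remove a client's registration.  After this, every authorization request
    from that client fails: the provider can kill the application unilaterally,
    which is the cost of compulsory registration the message describes."""
    return REGISTERED_CLIENTS.pop(client_id, None) is not None


def demo() -> list:
    """Run the constructed cases and return (label, ok) pairs."""
    results = [
        ("openid: genuine RP",
         openid_style_check("https://rp.example/callback")["ok"]),
        ("openid: any other https site is accepted just the same",
         openid_style_check("https://other.example/callback")["ok"]),
        ("openid: plain http rejected",
         openid_style_check("http://rp.example/callback")["ok"]),
        ("oauth: registered client, exact redirect_uri",
         oauth_style_check("client-abc", "https://rp.example/callback")["ok"]),
        ("oauth: registered client, unregistered redirect_uri",
         oauth_style_check("client-abc", "https://rp.example/callback/extra")["ok"]),
        ("oauth: unregistered client",
         oauth_style_check("client-xyz", "https://rp.example/callback")["ok"]),
    ]
    revoke_client("client-abc")
    results.append(("oauth: formerly registered client after revocation",
                    oauth_style_check("client-abc", "https://rp.example/callback")["ok"]))
    return results


if __name__ == "__main__":
    for label, ok in demo():
        print(f"{'accept' if ok else 'reject':7} {label}")
```

The OpenID-style check accepts the unrelated site exactly as readily as the genuine relying party, because nothing in the request ties return_to to an identity the provider knows; the OAuth-style check can refuse it, but only because the client is on a list the provider controls.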

